mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
ec73de969f
AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used without shared secret. Set up a shared secret between localhost connector and Apache mod_proxy_ajp pass-through. For existing secured AJP pass-through make sure the option used for configuration on the tomcat side is up to date. Tomcat 9.0.31.0 deprecated 'requiredSecret' option name in favor of 'secret'. Details can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x Fixes: https://pagure.io/freeipa/issue/8221 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>